Is the wildcard SAN in my certificate being ignored?

Question (votes: 0, answers: 1)

So I created a certificate with openssl that has *.dev and d.dev in its SAN. For some reason, accessing https://d.dev works, but accessing https://c.dev fails with NET::ERR_CERT_COMMON_NAME_INVALID.

Commands

openssl genrsa -out rootCA.key.pem 4096
openssl req -x509 -new -subj '/C=DE/ST=00/O=mkg20001, Inc.' -nodes -key rootCA.key.pem -sha256 -days 1024 -out rootCA.crt.pem
openssl genrsa -out "dev.key.pem" 4096
openssl req -new -sha256 \
    -key "dev.key.pem" \
    -subj "/C=DE/ST=00/O=mkg20001, Inc./CN=dev" \
    -extensions SAN \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName='DNS.1:dev,DNS.2:*.dev,DNS.3:*.*.dev,DNS.4:d.dev'")) \
    -out "dev.csr.pem"
openssl x509 -req -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName='DNS.1:dev,DNS.2:*.dev,DNS.3:*.*.dev,DNS.4:d.dev'")) -in "dev.csr.pem" -CA rootCA.crt.pem -CAkey rootCA.key.pem -CAcreateserial -out "dev.crt.pem" -days 500 -sha256

Certificate

openssl x509
1 Answer (1 vote)

Wildcard certificates are valid for subdomains, not for top-level domains.

For example, *.mydomain.com is a valid wildcard certificate and all of its https subdomains (a.mydomain.com, b.mydomain.com) are valid, but *.com refers to the TLD, which is not a valid subdomain, so a wildcard certificate for it is not accepted.

References:
https://en.m.wikipedia.org/wiki/Wildcard_certificate
https://en.m.wikipedia.org/wiki/Subdomain
https://en.m.wikipedia.org/wiki/Top-level_domain
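As an added example (not code from the question or the answer), here is a small Python model of the hostname matching rules a browser applies to dNSName SANs, in the style of RFC 6125 plus the common browser restriction that a wildcard must have at least two labels to its right (a simplification of the public-suffix check that real browsers perform). It is run over the exact SAN list from the question so the d.dev versus c.dev behaviour can be reproduced offline.

```python
"""Model browser-style hostname matching against dNSName SANs.

Rules implemented (RFC 6125 section 6.4.3 plus a common browser rule):
  - comparison is case-insensitive and label-by-label
  - a wildcard is only honoured as the entire leftmost label ("*.example.com");
    names such as "*.*.dev" or "f*o.dev" are treated as non-matching
  - "*" matches exactly one label, never zero labels and never a dot
  - the wildcard must have at least two labels to its right, so "*.dev" and
    "*.com" never match (simplified stand-in for the public-suffix check)
"""

# SAN list as issued in the question (constructed from the posted command).
QUESTION_SANS = ["dev", "*.dev", "*.*.dev", "d.dev"]


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: strip trailing dot, lower-case, split on '.'."""
    return name.rstrip(".").lower().split(".")


def san_matches(san: str, hostname: str) -> bool:
    """Return True if the single dNSName SAN covers hostname."""
    s, h = _labels(san), _labels(hostname)
    if "*" not in san:
        return s == h                      # plain name: exact match only
    if s[0] != "*" or any("*" in lbl for lbl in s[1:]):
        return False                       # wildcard must be the whole leftmost label
    if len(s) < 3:
        return False                       # "*.dev": too few labels to the right
    # "*" consumes exactly one label; the remaining labels must match exactly.
    return len(s) == len(h) and s[1:] == h[1:]


def matching_sans(hostname: str, sans: list[str]) -> list[str]:
    """All SANs in `sans` that cover hostname (empty list means cert rejected)."""
    return [san for san in sans if san_matches(san, hostname)]


if __name__ == "__main__":
    for host in ["d.dev", "c.dev", "a.b.dev", "dev"]:
        hit = matching_sans(host, QUESTION_SANS)
        print(f"{host:8} -> {'OK via ' + hit[0] if hit else 'name mismatch'}")
```

Running it shows that only the literal d.dev entry ever matches, which is why d.dev works while c.dev reports a name mismatch.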
